How to configure Universal Forwarder to receive UDP traffic

I am trying to forward events from my current SIEM to the Universal Forwarder using UDP on port 9514. When I run a trace I see data coming in, but I don't see it being picked up by the forwarder. I have tried adding `host = <IP of the forwarding device>`.

1 Answer

I'm not sure the UF can forward UDP, as I've never seen that configuration. The accepted best practice for syslog is to send syslog data to a dedicated syslog server (rsyslog, syslog-ng, etc.). A UF is installed on the syslog server to forward data to Splunk.

So it sounds like you already have a UDP listener defined. If that's true, you may need to select a different port for the SIEM. UFs usually don't have a GUI, so I hope you're looking at the right thing. Typically, one modifies a UF configuration by editing .conf files or via CLI commands. In a large installation, a deployment server (DS) is used. In your case, I would edit inputs.conf to add a UDP stanza for the SIEM. Make sure you're not using a port that's already in use. Also, if you haven't already defined your mcafeesiem sourcetype on your indexers, be sure to do that before changing the forwarder.
So it sounds like you already have a UDP listener defined. If that's true, you may need to select a different port for the SIEM.UFs usually don't have a GUI so I hope you're looking at the right thing. Typically, one modifies a UF configuration by editing .conf files or via CLI commands. In a large installation, a deployment server (DS) is used. In your case, I would edit inputs.conf to add a UDP stanza for the SIEM. Make sure you're not using a port that's already in use.Also, if you haven't already defined your mcafeesiem sourcetype on your indexers, be sure to do that before changing the forwarder.